2014 ZAP Workshop 2: Contexts and Fuzzing
OWASP Canberra 2014
OWASP ZAP
Workshop 2:
Contexts and Fuzzing
Simon Bennetts
OWASP ZAP Project Lead, Mozilla Security Team
The plan
The main bit
Demo feature
Let you play with feature
Answer any questions
Repeat
Plans for the future sessions
Contexts
Assign characteristics to groups of URLs
Like an application:
Per site: http://www.example.com
Site subtree: http://www.example.com/app1
Multiple sites: http://www.example1.com and http://www.example2.com
Practical 1
Create and edit a Context definition
Add and remove context to scope
Try using ZAP with different modes and scopes
Contexts
Allow you to define:
Scope
Session handling
Authentication
Users
'Forced user'
Structure
with more coming soon
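The two Contexts slides above describe a context as a group of URLs (a site, a subtree, or several sites) that can be put in or out of scope, and Practical 1 asks you to try the ZAP modes against that scope. The block below is an added example written for this transcript, not code from the workshop or from the ZAP project: it models a context as include/exclude regexes matched against the full URL (exclusions winning, as in ZAP), builds the three context shapes from the slide, and shows how the four ZAP modes (Safe, Protected, Standard, ATTACK) use the scope to decide whether an attack may be sent to a URL. The Context class, url_prefix_regex and may_attack are this example's own names, not ZAP APIs.

```python
import re
from dataclasses import dataclass, field


# Constructed model of a ZAP context (this example's own class, not ZAP's): a name,
# include and exclude regexes matched against the full URL, and an in-scope flag.
@dataclass
class Context:
    name: str
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)
    in_scope: bool = True

    def contains(self, url: str) -> bool:
        """A URL is in the context if it matches an include regex and no exclude regex.
        Exclusions take precedence, which is how ZAP resolves overlapping patterns."""
        if any(re.fullmatch(p, url) for p in self.exclude):
            return False
        return any(re.fullmatch(p, url) for p in self.include)


def url_prefix_regex(prefix: str) -> str:
    """Regex for 'this URL prefix and everything under it'. The optional '/.*' tail
    stops http://www.example.com from also covering http://www.example.com.other.test."""
    return re.escape(prefix.rstrip("/")) + "(/.*)?"


# The three context shapes from the slide.
def site_context(name: str, site: str) -> Context:
    return Context(name, include=[url_prefix_regex(site)])


def subtree_context(name: str, subtree: str) -> Context:
    return Context(name, include=[url_prefix_regex(subtree)])


def multi_site_context(name: str, sites) -> Context:
    return Context(name, include=[url_prefix_regex(s) for s in sites])


def in_scope(url: str, contexts) -> bool:
    """A URL is in scope when some in-scope context contains it."""
    return any(c.in_scope and c.contains(url) for c in contexts)


def may_attack(mode: str, url: str, contexts) -> bool:
    """How ZAP's modes gate attacks: Safe never attacks, Protected only attacks
    in-scope URLs, Standard and ATTACK place no restriction on the target."""
    mode = mode.lower()
    if mode == "safe":
        return False
    if mode == "protected":
        return in_scope(url, contexts)
    if mode in ("standard", "attack"):
        return True
    raise ValueError(f"unknown ZAP mode: {mode}")


if __name__ == "__main__":
    app1 = subtree_context("app1", "http://www.example.com/app1")
    app1.exclude.append(url_prefix_regex("http://www.example.com/app1/logout"))
    for url in ("http://www.example.com/app1/index",
                "http://www.example.com/app1/logout",
                "http://www.example.com/app2/index"):
        print(url, "in scope:", in_scope(url, [app1]),
              "protected-mode attack allowed:", may_attack("protected", url, [app1]))
```

Two design points worth noting when you build contexts in the real tool: a looser pattern such as http://www.example.com.* (the kind of regex ZAP generates when you include a whole site) also matches hostnames that merely start with the site name, so tighten it if that matters in your environment; and an exclude regex for logout or account-deletion URLs is the usual way to keep a spider or scan from logging itself out of the session you set up in Practical 2.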
Practical 2
Define a context for an app with authentication
Configure the authentication method, the logged in/out indicators and one or more users
Spider / scan using the Forced User mode
Basic Fuzzing
Current 'basic' fuzzing: Sending attack vectors at 1 selected target
Just supports files of attack vectors
JbroFuzz files included by default
FuzzDb and SVN Digger files on Marketplace
You can add your own files
Handles anti-CSRF tokens
Results can be searched
Practical 3
Fuzz input fields
Fuzz input fields in forms with an anti-CSRF token
Search fuzzing results
Download and use FuzzDb and SVN Digger files
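The Basic Fuzzing slide and Practical 3 cover sending a file of attack vectors at one selected target, having the fuzzer handle anti-CSRF tokens, and searching the results. The block below is an added example for this transcript, not code from the workshop or the ZAP project: it runs a ZAP-style fuzz loop against a constructed in-process stub application whose search form is protected by a single-use anti-CSRF token, refreshes the token before each request the way ZAP's anti-CSRF handling does, and then searches the collected results. StubApp, the vector list, the 500 response on long input and all function names are this example's own constructions, not ZAP behaviour or a real site.

```python
import re
import secrets
from dataclasses import dataclass


# --- Constructed stand-in for the application under test (not ZAP, not a real site) ---
class StubApp:
    """A search form protected by a single-use anti-CSRF token: each POST must carry
    a token issued by a fresh GET of the form, and a token is consumed once used."""

    def __init__(self):
        self.valid_tokens = set()

    def get_form(self):
        token = secrets.token_hex(8)
        self.valid_tokens.add(token)
        html = ('<form method="post" action="/search">'
                f'<input type="hidden" name="csrf_token" value="{token}">'
                '<input name="q"></form>')
        return 200, html

    def post_search(self, fields):
        token = fields.get("csrf_token")
        if token not in self.valid_tokens:
            return 403, "invalid or reused anti-CSRF token"
        self.valid_tokens.discard(token)          # single use: a replayed token fails
        q = fields.get("q", "")
        if len(q) > 16:                           # constructed fault for the fuzzer to surface
            return 500, "internal error while handling query"
        return 200, f"0 results for {q!r}"


# --- The fuzzer side, modelled on what the ZAP fuzzer does with one selected target ---
TOKEN_RE = re.compile(r'name="csrf_token" value="([0-9a-f]+)"')


@dataclass
class FuzzResult:
    vector: str
    status: int
    body: str


def load_vectors(text: str):
    """Read an attack-vector file in the one-vector-per-line layout ZAP's files use."""
    return [line for line in text.splitlines() if line.strip()]


def fuzz(app, vectors, refresh_token=True):
    """Send every vector to the 'q' field. With refresh_token=True the form is fetched
    before each request and the current token inserted, as ZAP does when anti-CSRF
    handling is on; with False the first token is reused for every request."""
    results, token = [], None
    for vector in vectors:
        if token is None or refresh_token:
            _, html = app.get_form()
            token = TOKEN_RE.search(html).group(1)
        status, body = app.post_search({"csrf_token": token, "q": vector})
        results.append(FuzzResult(vector, status, body))
    return results


def search_results(results, pattern: str):
    """Regex search over status codes and bodies, like searching the Fuzzer results tab."""
    rx = re.compile(pattern)
    return [r for r in results if rx.search(str(r.status)) or rx.search(r.body)]


# Constructed vector file contents (a real FuzzDB or JBroFuzz file is much longer).
SAMPLE_VECTORS = "alpha\nbeta\n\nquite-a-lot-longer-than-sixteen\n"

if __name__ == "__main__":
    for r in fuzz(StubApp(), load_vectors(SAMPLE_VECTORS)):
        print(r.status, r.vector, "->", r.body)
    print("without token refresh:",
          [r.status for r in fuzz(StubApp(), load_vectors(SAMPLE_VECTORS), refresh_token=False)])
```

Running the loop a second time with refresh_token=False shows why the anti-CSRF option matters: every request after the first comes back 403, so a fuzz run without token handling reports nothing about the field it was meant to test. Searching results for a status or body pattern is how you separate the one anomalous response from the noise once the run is large.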
Advanced Fuzzing
'MultiFuzz' on the Marketplace: Sending attack vectors at multiple selected targets
Range of attack vectors, not just files
Supports graphing of results
Google Summer of Code Project
Alpha quality
Practical 4
Download MultiFuzz
Try out all of its features
Provide feedback :)
Advanced Scanning
Accessed from:
Right-click Attack menu
Tools menu
Keyboard shortcut (default Ctrl-Alt-A)
Gives you fine-grained control over:
Scope
Input Vectors
Custom Vectors
Policy
Practical 5
Scan one URL with one scan rule
Play with the thresholds and strengths
Scan custom input vectors
Create, save and load Policies
Future Sessions?
Scripts
Zest
The API
Websockets
Marketplace add-ons
Intro to the source code?
What do you want??
Any Questions?
http://www.owasp.org/index.php/ZAP
The OWASP Foundation http://www.owasp.org
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.